In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

For this packet file_data points to the start of the HTML text. This response body can be chunked/compressed/encoded/etc, and in such cases, file_data points to the dechunked/decompressed/normalized data.

2. SMTP/POP/IMAP data body.

When the traffic is SMTP/POP/IMAP, file_data points to the decoded attachments when decoding is enabled for those preprocessors, and otherwise to the entire data body.

The argument "mime" to file_data is deprecated. However, rules that use this argument will still function as they did before.

How does file_data work?

Prior to Snort 2.9.1:

* file_data had to be followed by a relative rule option. Any absolute (non-relative) rule option started its search from the beginning of the payload. To access the file_data buffer again, a rule had to specify the file_data rule option again.

Examples:
Rules that will work

alert tcp any any -> any any (file_data; content:"<html>"; within:10; ...)
alert tcp any any -> any any (file_data; content:"HTTP/1.0"; depth:10; file_data; content:"<html>"; within:10; ...)

Rules that will not work

alert tcp any any -> any any (file_data; content:"<html>"; depth:10; content:"<body>"; within:10; ...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10; ...)

In Snort 2.9.1:

* Any non-HTTP content match (one without the HTTP modifiers http_uri/http_header/etc.), relative or absolute, that does not use the keyword "rawbytes", and any payload-detecting rule option that follows file_data in a rule, applies to the cursor set by file_data until the cursor is explicitly reset by another rule option such as pkt_data, base64_data or the SIP modifiers.

A new rule option in Snort 2.9.1, "pkt_data", will reset the cursor to the start of the TCP payload. This rule option is intended to give the rule writer the ability to change the context of subsequent detection options. Any content matches (excluding HTTP/rawbytes) and other detection options (such as "byte_test", "byte_jump", etc.) will apply to the TCP payload.

Other rule options that change the cursor are base64_data, sip_header, sip_body, etc.

Example:
Rules that will work

alert tcp any any -> any any (file_data; content:"<html>"; within:10; ...)
alert tcp any any -> any any (file_data; content:"<html>"; ...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10; content:"<body>"; within:10; ...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10; ...)
alert tcp any any -> any any (file_data; content:"<html>"; within:10; pkt_data; content:"HTTP/1.0"; depth:10; ...)

Rules that will not work

alert tcp any any -> any any (file_data; content:"<html>"; depth:10; rawbytes; ...)
alert tcp any any -> any any (file_data; pkt_data; content:"<html>"; depth:10; rawbytes; ...)
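To see the two semantics side by side, here is an added Python model (not Snort code, and not from the Snort project) of how the cursor moves under the pre-2.9.1 and 2.9.1 rules described above. The sample HTTP response and the evaluator's simplifications are assumptions made for the illustration: it only understands file_data, pkt_data and content with the modifiers offset/depth/distance/within/rawbytes. Run against the page's own examples, it also shows that the pre-2.9.1 rule which re-specifies file_data after an absolute content on the payload no longer matches under the 2.9.1 semantics, because the absolute content now searches the file_data buffer too; the pkt_data form is the 2.9.1 way to write it.

```python
"""Model of how Snort picks the buffer that content/depth/within apply to,
before and after Snort 2.9.1.  Added illustration, not Snort source: the
evaluator only understands file_data, pkt_data and content with the
modifiers offset/depth/distance/within/rawbytes."""

# Constructed sample HTTP response.  pkt_data (the raw payload) is the whole
# TCP payload; file_data is the response body, which real Snort has already
# dechunked/decompressed/normalized by the time a rule sees it.
RAW_PAYLOAD = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><body>hello</body></html>")
FILE_DATA = RAW_PAYLOAD.split(b"\r\n\r\n", 1)[1]

NUMERIC = {"offset", "depth", "distance", "within"}
MODIFIERS = NUMERIC | {"rawbytes"}


def parse_options(rule_text):
    """Turn a rule's option body (or a whole rule) into (keyword, value)
    pairs; value is None for bare keywords such as file_data or rawbytes."""
    if "(" in rule_text:
        rule_text = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")]
    options = []
    for raw in rule_text.split(";"):
        raw = raw.strip()
        if not raw.strip("."):          # skip empty pieces and "..." elisions
            continue
        if ":" not in raw:
            options.append((raw, None))
            continue
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "content":
            value = value.strip('"').encode()
        elif key in NUMERIC:
            value = int(value)
        options.append((key, value))
    return options


def find_content(buf, start, pattern, mods):
    """Search one content in buf.  distance/within are relative to the end
    of the previous match (start); offset/depth are absolute from the start
    of buf.  Returns the end offset of the match, or -1."""
    if "distance" in mods or "within" in mods:
        begin = start + mods.get("distance", 0)
        end = begin + mods["within"] if "within" in mods else len(buf)
    else:
        begin = mods.get("offset", 0)
        end = begin + mods["depth"] if "depth" in mods else len(buf)
    idx = buf.find(pattern, begin, end)
    return -1 if idx < 0 else idx + len(pattern)


def evaluate(rule_text, version, raw=RAW_PAYLOAD, file_data=FILE_DATA):
    """True if every content in the rule matches; version is "pre-2.9.1"
    or "2.9.1".  Raises ValueError for options this model does not know."""
    options = parse_options(rule_text)
    buffers = {"pkt_data": raw, "file_data": file_data}
    cursor_buf = "pkt_data"          # buffer the cursor currently points at
    prev_buf, prev_end = None, 0     # where the previous content matched
    i = 0
    while i < len(options):
        key, value = options[i]
        if key in buffers:
            if key == "pkt_data" and version != "2.9.1":
                raise ValueError("pkt_data was introduced in Snort 2.9.1")
            cursor_buf = key
            i += 1
            continue
        if key != "content":
            raise ValueError("option not modelled here: " + key)
        mods, i = {}, i + 1
        while i < len(options) and options[i][0] in MODIFIERS:
            mods[options[i][0]] = options[i][1]
            i += 1
        if version == "2.9.1":
            # rawbytes contents always use the raw payload; all others follow
            # the cursor until pkt_data (or similar) resets it.
            use_buf = "pkt_data" if "rawbytes" in mods else cursor_buf
        else:
            # pre-2.9.1: only a relative content stays in file_data; an
            # absolute one searches the payload and ends the file_data context.
            relative = "distance" in mods or "within" in mods
            use_buf = cursor_buf if relative else "pkt_data"
            cursor_buf = use_buf
        start = prev_end if use_buf == prev_buf else 0   # simplification
        end = find_content(buffers[use_buf], start, value, mods)
        if end < 0:
            return False
        prev_buf, prev_end = use_buf, end
    return True


if __name__ == "__main__":
    for rule in ('file_data; content:"<html>"; depth:10; content:"<body>"; within:10;',
                 'file_data; content:"HTTP/1.0"; depth:10; file_data; content:"<html>"; within:10;'):
        print({v: evaluate(rule, v) for v in ("pre-2.9.1", "2.9.1")}, rule)
```

The practical consequence for rule maintenance is that under 2.9.1 everything after file_data is read with one cursor: to look at the TCP payload again, a rule switches buffers with pkt_data rather than relying on an absolute modifier to fall back to the payload.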

Thursday, August 25, 2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 55 new rules and make modifications to 19 additional rules.

The registered users of Snort have emailed me and told me that they will not be able to access the snort.conf for 2.9.1 until the 30 day window is open. This is correct; however, for registered users' convenience you may access the 2.9.1 snort.conf here: http://www.snort.org/assets/184/snort.conf

The following changes have been made to the snort.conf in this release:

The Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dos, exploit, netbios, rpc, specific-threats, spyware-put and web-misc rule sets to provide coverage for emerging threats from these technologies.


Please start downloading and using Snort 2.9.1. You should be aware that you'll get some new alerts and things will behave a bit differently with the file_data rule option now because of PAF. For more on PAF please read the README.stream5 documentation file.

* SIP preprocessor to identify SIP call channels and provide
rule access via new rule option keywords. Also includes new
preprocessor rules for anomalies in the SIP communications.
See the Snort Manual and README.sip for details.

* IP Reputation preprocessor, allowing Snort to blacklist or
whitelist packets based on their IP addresses. This preprocessor
is still in an experimental state, so please report any issues
to the Snort team. See README.reputation for more information.

- Updates to content modifier http_cookie to not include
the HTTP header names themselves in the buffer. This change
may affect existing rules that leverage this keyword.

- Updates to the file_data and base64_data rule option keywords
and added a pkt_data rule option keyword that sets the buffer
to be used for subsequent content/pcre/etc rule options.

- Updates to the tcp flag rule option keyword to support 'C'
and 'E' for CWR and ECN bits.

- Updates to byte_extract rule option keyword to support
the same string formats as with byte_test and byte_jump.

* Updates to Snort's build infrastructure and autoconf script
for portability and improved checks for library dependencies.
To facilitate easier building of Snort on many of the different
platforms supported, Snort now uses pkg-config to check for
certain library locations. Obtain pkg-config from freedesktop.org.

* Many updates and improvements to the Snort documentation. Special
thanks to all of the contributors from the Snort community for
working with us and making the documentation more accurate and
usable.

* src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c,
stream5_paf.h:
Allow multiple preprocs to scan for PDUs on the same port.
This fixes a problem with DCE autodetect using the same
ports as HTTP.

* src/: detection-plugins/detection_options.c,
detection-plugins/sp_flowbits.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/examples/Makefile.am,
dynamic-plugins/sf_engine/examples/flowbits_test.c,
dynamic-plugins/sf_engine/examples/rules.c,
dynamic-plugins/sf_engine/examples/web-client_test.c:
Only set/clear/toggle/unset a flowbit when all of the rule
matches, including the IPs and Ports. Thanks to Eoin Miller
for reporting the issue.

Added a new HTTP Inspect preprocessor rule, GID 119 SID 26. This rule checks for 200+ whitespace characters in a folded header line from an HTTP request. A new config option was added to configure the allowable amount of whitespace.

Added a new configuration option to http_inspect server configuration:
"small_chunk_length { <chunk_size> <num_consec_chunks> }", with preprocessor rules for both client and server. Consecutive chunk lengths less than or equal to <chunk_size> will cause an event to be generated.
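As an added illustration (not http_inspect code), the following Python parses a chunked body the way the file_data description earlier on the page implies (the rule sees dechunked data) and models the small_chunk_length event: a run of num_consec_chunks consecutive chunks whose size is at most chunk_size. The sample bodies are constructed, and resetting the run counter after an event fires is an assumption of the model, not something the page states.

```python
"""Added model of two things the text describes: dechunking a chunked HTTP
body (what file_data points at after normalization) and the http_inspect
small_chunk_length check.  Not http_inspect source.  The event rule modelled
is the one stated on the page (num_consec_chunks consecutive chunks with
size <= chunk_size raise an event); restarting the run counter after an
event is an assumption of this model."""


def parse_chunks(body):
    """Yield (declared_size, data) for each chunk of a chunked-encoded body,
    stopping at the zero-size terminator.  Raises ValueError on malformed or
    truncated input so a caller can treat that as its own anomaly."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        size = int(size_field, 16)
        if size == 0:
            return
        data = body[eol + 2:eol + 2 + size]
        if len(data) != size or body[eol + 2 + size:eol + 4 + size] != b"\r\n":
            raise ValueError("truncated chunk at offset %d" % pos)
        yield size, data
        pos = eol + 4 + size


def reassemble(body):
    """The dechunked data: what file_data points at for a chunked response."""
    return b"".join(data for _size, data in parse_chunks(body))


def small_chunk_events(body, chunk_size, num_consec_chunks):
    """1-based indexes of the chunks at which an event fires, i.e. where a run
    of consecutive chunks with size <= chunk_size reaches num_consec_chunks.
    A larger chunk resets the run, and so does firing (model assumption)."""
    if num_consec_chunks < 1:
        raise ValueError("num_consec_chunks must be at least 1")
    events, run = [], 0
    for index, (size, _data) in enumerate(parse_chunks(body), 1):
        run = run + 1 if size <= chunk_size else 0
        if run == num_consec_chunks:
            events.append(index)
            run = 0
    return events


# Constructed samples: a normal body, the same body split one byte per chunk,
# and a mixed one.
NORMAL_CHUNKED = b"6\r\n<html>\r\n6\r\n<body>\r\n0\r\n\r\n"
SMALL_CHUNKED = b"".join(b"1\r\n%s\r\n" % bytes([c]) for c in b"<html>") + b"0\r\n\r\n"
MIXED_CHUNKED = b"1\r\na\r\n1\r\nb\r\n5\r\nhello\r\n1\r\nc\r\n1\r\nd\r\n1\r\ne\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, body in (("normal", NORMAL_CHUNKED), ("small", SMALL_CHUNKED),
                       ("mixed", MIXED_CHUNKED)):
        print(name, reassemble(body), "events at chunks:",
              small_chunk_events(body, 2, 5))
```

The two numbers in the option are a trade-off: a very small chunk_size with a high num_consec_chunks only flags bodies that are chopped into many tiny pieces, which is the pattern worth an event, while a large chunk_size will also flag ordinary streaming responses.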

* src/output-plugins/spo_alert_sf_socket.c:
Fixed a problem where Snort's generic IP address structure was being sent by the socket output plugin.
The output plugin now only generates events for IPv4 packets, and is guaranteed to use uint32_t IPv4 addresses for interoperability.

* src/sfutil/: sfrt.c, sfrt.h:
Optimized some memory usage.

* configure.in:
Add check for pkg-config and provide instructions to get it if pkg-config is not installed.

* src/preprocessors/Stream5/: snort_stream5_tcp.c,
stream5_common.h:
Show single segment PAF packets and only short-circuit at
correct sequence.
When aborting PAF, flush at paf_max.
Tweaked retransmission check to use actual sequence numbers
instead of the adjusted sequence numbers.
Changed the pseudo-random flush point after each flush.

* src/snort.h:
Fixed a bug where Snort wouldn't daemonize on OpenBSD if the process was running as root. Thanks to Olaf Schreck for reporting this issue.

* src/preprocessors/: perf-base.c, perf-base.h, perf-event.c,
perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h,
spp_perfmonitor.c:
Split out Perfmon submodule Init and Reset, so that everything is
initialized when the Perfmonitor preprocessor is initialized.
Previously, some data was initialized on the first packet.

* src/detection-plugins/sp_tcp_flag_check.c:
Fixed a couple spots where the "1" and "2" flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for reporting the issue and supplying a patch.

* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h,
preproc_rules/preprocessor.rules, etc/gen-msg.map:
Added a new SIP preprocessor alert for missing content type headers.
Fixed an issue where the SIP preprocessor checked for Stream5 even if the SIP preprocessor was disabled.

Support full 32-bit content-lengths and chunk sizes, and flush/abort when exceeded.

* doc/README.SMTP, doc/snort_manual.tex,
src/dynamic-preprocessors/smtp/smtp_config.h,
src/dynamic-preprocessors/smtp/smtp_util.c,
src/dynamic-preprocessors/smtp/snort_smtp.c,
src/dynamic-preprocessors/smtp/snort_smtp.h,
src/dynamic-preprocessors/smtp/spp_smtp.c:
Fixed performance issue: allocate the buffers used for filename, mailfrom and rcptto logging using mempool ('memcap' used to allocate the mempool).
Added a fatal error when b64_decode_depth is used with enable_mime_decoding.

* configure.in:
Updates to configure.in.
Fix zlib checks to use correctly named variable for checking zlib header and library existence.
Enable IPv6 by default in builds. Can use --disable-ipv6 to turn it off.
Using --enable-zlib, configure should fail. snort -V should show IPv6 by default and VRT config should load without modification.
Added a new option, "--enable-large-pcap", which allows Snort to read pcap files that are larger than 2 GB.
Changed the default ./configure options to match the requirements for the bundled snort.conf
* doc/: INSTALL, README.imap, README.pop,
README.SMTP, README.stream5, README.sip, README.tag,
README.http_inspect, README.counts, README.normalize,
snort_manual.pdf, snort_manual.tex:
Updated documentation for Snort 2.9.1:
Added documentation for new SIP, POP and IMAP preprocessors
Updated README.stream5 with documentation for Protocol Aware Flushing (PAF)
Updated README.http_inspect with memcap information, clarified "http_cookie" information, and documentation for "log_uri" and "log_hostname".
Fixed a typo in README.counts
Updated "byte_extract" section to reflect syntax changes
Improved the explanation of "max_queued_events"
Added documentation for the ESP decoder, which is now configurable
Improved the explanation of "rawbytes"
Fixed an incorrect example in README.tag.
* etc/snort.conf:
Synced snort.conf with VRT's latest version.

Added decoder rules 116:453, 116:454, and 116:455. These rules
were formerly covered by VRT rules.
* src/build.h: Updated build number to 46
* src/decode.c:
TCP and UDP decoder rules that require a fully-decoded packet will only fire if the checksum is correct and the port number is not ignored.

ESP decoding is now configurable, and off by default.

The "config enable_decode_oversized_alerts" option now applies to packets where the UDP header claims there is more data than actually exists.
The Teredo decoder now only processes packets in the Teredo prefix
(2001:0000::/32) or the link-local prefix (fe80::/16).
* src/detection-plugins/sp_cvs.c:
Fixed a false positive in the CVS detection plugin.
* doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
Made some changes to the byte_extract syntax:
Writing "string" without a number type defaults to decimal.
The "string" and "hex/dec/oct" options are now independent of each other, like in byte_test and byte_jump. You can write "string,dec", "hex,string", "string,relative,oct", etc.
Specifying one of "hex", "dec", and "oct" without using "string"
results in an error.
byte_extract options can no longer be delimited by spaces. This does not affect "align <num>" or "multiplier <num>".
* src/: parser.c, util.c, util.h,
detection-plugins/sp_base64_decode.c,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,

Packets will no longer be tagged or logged if they are filtered or passed.
* src/preprocessors/Stream5:
Ensured that reassembly doesn't require packet dropping in IPS mode.
The message "additional ports configured but not printed" is only printed when that is actually the case.
* src/snort.c:
Fixed output of the filename / shutdown alerts sequence when iterating over multiple pcaps with --pcap-show --pcap-reset and console alerts (e.g. -A cmg or -A console:test).

Fixed an issue with reloading Snort while the default output options were used.

The AltDetect buffer can also be set by custom .so rules.
* src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c,
src/sfutil/Unified2_common.h:
IPv6 source and destination addresses are now logged in Unified2 as extra data events. This is configured with "config log_ipv6_extra_data".
* src/dynamic-preprocessors/sip/Makefile.am,
src/dynamic-preprocessors/sip/sf_sip.dsp,
src/dynamic-preprocessors/sip/sip_config.c,
src/dynamic-preprocessors/sip/sip_config.h,
src/dynamic-preprocessors/sip/sip_debug.h,
src/dynamic-preprocessors/sip/sip_dialog.c,
src/dynamic-preprocessors/sip/sip_dialog.h,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/sip_parser.h,
src/dynamic-preprocessors/sip/sip_roptions.c,
src/dynamic-preprocessors/sip/spp_sip.c,
src/dynamic-preprocessors/sip/spp_sip.h,
src/dynamic-preprocessors/sip/sip_roptions.h,
src/dynamic-preprocessors/sip/sip_utils.c,
src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip,
etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am,
src/dynamic-preprocessors/sip/test/sip_test.c, configure.in,
src/dynamic-preprocessors/Makefile.am:
Added a new preprocessor for SIP traffic.
See README.sip and the Snort Manual for more information.
* src/: dynamic-preprocessors/dcerpc2/dce2_utils.c,
dynamic-preprocessors/dcerpc2/spp_dce2.c,
preprocessors/spp_frag3.c:
Make Frag3 OpenBSD Vuln alert only happen if the frag policy is 'linux' (which includes OpenBSD). The 'bsd' policy is NOT used for OpenBSD, which is the only OS on which the vulnerability was present.

This reduces false positives: the alert now only occurs when the frag3 policy is linux and it's an actual Linux system, rather than occurring regardless of frag policy.
* src/: detection-plugins/Makefile.am,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_extract.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_engine/Makefile.am,

dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
Added support for ByteExtract variables to the .so rule versions of
Content, ByteTest, ByteJump, and isdataat.
* src/: encode.c, preprocessors/spp_normalize.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.c:
Fixed the TTL on encoded response packets.
* src/: fpcreate.c, fpdetect.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pattern_match.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
Update to not inspect HTTP method buffer with Snort's fast pattern engine.
Rules with only HTTP method content end up as non-content rules.
This eliminates a short cycle of searches with fast pattern on every initial HTTP request.
* src/dynamic-preprocessors/pop/: all files
Added a new preprocessor for POP traffic.
See README.pop for more information.
* src/dynamic-preprocessors/imap/: all files
Added a new preprocessor for IMAP traffic.
See README.imap for more information.
* src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
Base64 decoding was moved to its own section in sfutil, for use by the new email preprocessors.

Added PAF support to HTTP Inspect, allowing the preprocessor to determine when HTTP sessions are flushed by Stream5.

See README.stream5 for more details.
* src/preprocessors/: stream_ignore.h, stream_ignore.c,
Stream5/snort_stream5_udp.c:
Added support for ignoring UDP channels. A lightweight session will be created to track the UDP channel even when its ports are not monitored.
* src/win32/: most files
Updated Snort and its libraries to build/link against MFC.

The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, netbios, policy, smtp, specific-threats, spyware-put, sql and web-misc rule sets to provide coverage for emerging threats from these technologies.


Tuesday, August 16, 2011

We know a lot of people have been patiently waiting for the impending 2.9.1 release. We did have it scheduled for this week, however, during final regression testing we uncovered some issues that we need to address before the final release.

So, we have re-targeted the Snort 2.9.1 release for early next week to give us time to fix the issues and re-test everything. As always, we'll publish a blog post about the release when it comes to fruition and we'll be following that up over the next few weeks, with several blog posts regarding the new functionality and features.

Monday, August 15, 2011

Snort 2.9.1 that came out in the RC form last month is getting ready to ship, so I thought I'd put out the Release notes. There are a lot of changes in there that will affect how certain rules will work, especially when it comes to HTTP and DCE reassembly. So make sure and read up on PAF!

We've also had a lot of positive feedback about the new IP reputation preprocessor, so we are really looking forward to seeing how users are going to put it to work in their environment.

* IP Reputation preprocessor, allowing Snort to blacklist or
whitelist packets based on their IP addresses. This
preprocessor is still in an experimental state, so please
report any issues to the Snort team.
See README.reputation for more information.

* Many updates and improvements to the Snort documentation. Special
thanks to all of the contributors from the Snort community for
working with us and making the documentation more accurate and
usable.

Two weeks ago at Defcon, several of the VRT were waiting to grab a cab, and the author of this tool saw our Sourcefire shirts and wanted to show us this tool he wrote to be able to monitor Snort alerts on an Android Phone! So after a business card and email exchange or two, I'd like to introduce you to Swinedroid!

Swinedroid is an Android Snort monitoring application. It has a client and server-side component, and works for Snort setups logging to PostgreSQL and MySQL. It's available on the Android market currently, and the source is available here:

The author of this project, Roberto Zarrelli, wrote me last week while I was at the GFirst conference, and notified me of the listing of his new project iBlock (for "Intrusion Block") on SourceForge.

A short description of the project:

This tool is a small Linux Daemon that greps the Snort Alert file and blocks the offending hosts via iptables for a given amount of time. iBlock supports the whitelisting of IP addresses so those IPs will never be blocked.
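An added example of the approach that description outlines, written here rather than taken from iBlock: read Snort's fast-format alert file, take the source address of each alert, drop anything covered by a whitelist of addresses or CIDR networks, and produce the iptables commands to add and later remove a DROP rule. The alert lines and addresses are constructed samples (RFC 5737 documentation ranges); the commands are returned as argument lists rather than executed, and only IPv4 alert lines are parsed.

```python
"""Added illustration of the approach the iBlock description outlines: read
Snort's fast-format alert file, pick out the offending source address, skip
whitelisted addresses and emit iptables block/unblock commands.  This is not
iBlock's own code; the alert lines and addresses are constructed samples and
the commands are returned as strings, not executed."""
import ipaddress
import re

# Constructed sample lines in Snort's "fast" alert format (IPv4 only here).
SAMPLE_ALERTS = """\
08/03-10:15:01.123456  [**] [1:19653:1] constructed sample alert A [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
08/03-10:15:02.000001  [**] [1:19653:1] constructed sample alert A [**] [Priority: 1] {TCP} 203.0.113.7:51235 -> 192.0.2.10:80
08/03-10:16:44.500000  [**] [1:17410:5] constructed sample alert B [**] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.10
08/03-10:17:00.000000  [**] [1:19678:1] constructed sample alert C [**] [Priority: 3] {TCP} 192.0.2.50:40000 -> 192.0.2.10:445
this line is not an alert and is ignored
"""

# [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+")


def parse_alerts(alert_text):
    """Return (gid, sid, source_ip) for each line that parses as a fast alert."""
    found = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            found.append((int(m.group("gid")), int(m.group("sid")), m.group("src")))
    return found


def plan_blocks(alert_text, whitelist):
    """Distinct offending sources not covered by the whitelist, as dotted
    strings in address order.  Whitelist entries may be single addresses or
    CIDR networks, so the monitored hosts themselves are never blocked."""
    allowed = [ipaddress.ip_network(entry, strict=False) for entry in whitelist]
    to_block = set()
    for _gid, _sid, src in parse_alerts(alert_text):
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in allowed):
            to_block.add(ip)
    return [str(ip) for ip in sorted(to_block)]


def iptables_commands(ip):
    """The insert (block) and delete (unblock after the timeout) commands for
    one address, as argument lists.  Returned, not run."""
    rule = ["-s", ip, "-j", "DROP"]
    return (["iptables", "-I", "INPUT"] + rule, ["iptables", "-D", "INPUT"] + rule)


if __name__ == "__main__":
    for ip in plan_blocks(SAMPLE_ALERTS, ["192.0.2.0/24"]):
        block, unblock = iptables_commands(ip)
        print(" ".join(block), "   # later:", " ".join(unblock))
```

The whitelist is what keeps an alert whose source is one of your own monitored hosts, or a spoofed address, from turning the blocker into a self-inflicted outage; the local networks are the first entries to put there, and the delete command is kept alongside the insert so the timed unblock removes exactly the rule that was added.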

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 20 new rules and make modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

The Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dos, smtp, specific-threats, spyware-put, tftp, and web-misc rule sets to provide coverage for emerging threats from these technologies.


Tuesday, August 9, 2011

* Added 'last time' indicators to summary tab (see the main screenshot for ex.)
* Fixed display logic when viewing spans on summary tab
* Added record count selector to summary tab
* Changed country and signature charts to donut variant. Cleaner
* Truncate long key entries for country and signature charts
* Countries were not being filtered correctly when added to the
exclude filter. This has been fixed

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19680.

Microsoft Security Advisory MS11-064:
The Microsoft implementation of the TCP/IP stack contains programming errors that may allow a remote attacker to cause a Denial of Service (DoS) against an affected system.

A rule to detect attacks targeting these vulnerabilities is included in this release and is identified with GID 1, SID 19678.

Additionally, a previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 17410.

Microsoft Security Advisory MS11-066:
A programming error in the Microsoft .NET framework may lead to unauthorized information disclosure.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19694.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19681.

Adobe Security Bulletin APSB11-21:
Adobe Flash Player contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19682 through 19693.


Wednesday, August 3, 2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 9 new rules and make modifications to an additional rule.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

The Sourcefire VRT is aware of a programming error in the TimThumb plugin for WordPress that may allow a remote attacker to execute code on an affected system. The vulnerability is present in the timthumb.php script, which does not correctly process user-supplied input, allowing a remote attacker to upload content of their choosing into a directory, which can then be executed by the attacker.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19653.

Additionally, the Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc and exploit rule sets to provide coverage for emerging threats from these technologies.


Tuesday, August 2, 2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 31 new rules and make modifications to an additional 2.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, exploit, policy and web-activex rule sets to provide coverage for emerging threats from these technologies.
